The Apple review gauntlet
If you're an indie developer shipping an AI-powered app to the App Store, let me save you some time: Apple cares deeply about how you handle AI, and they will reject your app until you get it right.
WhispCal's review saga started in mid-February 2026 and stretched across multiple submissions, each one revealing another layer of requirements I hadn't anticipated.
The first rejection
The initial submission seemed solid. I had authentication, a working app, premium subscriptions through RevenueCat, and what I thought was adequate privacy handling. Apple disagreed.
The feedback centered on AI consent. WhispCal uses generative AI to parse food descriptions into nutritional data — it's the core feature. Apple wanted explicit, informed consent before any AI processing happened. Not buried in terms of service. Not a passive toggle in settings. A clear, upfront consent flow.
Building the consent flow
On February 15th, I pushed one of the biggest commits in the project's history: "Implement AI consent flow with new database fields, secure storage, and an updated onboarding process including an edit mode."
This wasn't a simple checkbox. Apple wanted:
- Clear explanation of what AI features the app uses
- What data is sent to AI services
- An explicit opt-in before any AI processing
- The ability to revoke consent later
- Consent state persisted securely, not just in local storage
I added new database fields to track consent status, used secure storage for the consent token, and rebuilt part of the onboarding flow to include an AI disclosure screen. The consent state was synced to the server so it could be verified before any AI API calls.
The feedback loop
Then came the rapid-fire iteration. Four commits on February 19th alone:
- "fix feedback related to terms-of-use"
- "more fix on apple feedback"
- "More info on consent for apple"
- "add consent when calibrating with AI"
Each commit was a response to specific reviewer feedback. The terms of use needed more detail about data processing. The consent screen needed more explicit language. The metabolic calibration feature — which uses AI to estimate calorie targets — needed its own separate consent because it processes different data than food logging.
The Apple Sign-In struggle
Running parallel to the consent saga was an unrelated but equally frustrating issue: Apple Sign-In kept breaking. Two commits in late February — "try fixing the apple signin" and "fix apple login hopefully?" — capture the desperation.
The question mark in that second commit message is doing a lot of work. Apple Sign-In has specific requirements around session handling, token refresh, and deep linking that interact poorly with Supabase's auth flow. Every fix seemed to work on the simulator but fail on real devices, or work on my device but fail on the reviewer's.
What Apple actually wants
After multiple rounds of review, here's what I learned Apple expects from AI-powered apps:
- Transparency over cleverness. Don't hide AI behind a seamless UX. Make it visible and optional.
- Granular consent. If you use AI for two different features, each needs its own consent. Users should understand exactly what they're agreeing to.
- Real persistence. Consent stored only in local storage isn't enough. If a user reinstalls the app, their consent state should survive — which means server-side storage.
- Revocability. Users must be able to turn off AI features after opting in. And the app must still be functional without them.
These are good requirements. They forced me to build better software. But discovering them through rejection cycles is painful and slow.
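The server-side check described above (per-feature consent, verified before any AI API call, revocable), as an added sketch that is not WhispCal's code. The feature names, the in-memory `ConsentStore`, the `aiCall` stub and the disclosure-version rule are assumptions for illustration; a real app would back the store with its database.

```javascript
// Added example, not WhispCal's code. Feature names, the in-memory store,
// the aiCall stub and the version rule are assumptions for illustration.
const FEATURES = new Set(["food_logging", "metabolic_calibration"]);
const DISCLOSURE_VERSION = 2; // assumed policy: bump when the consent text changes

class ConsentStore {
  constructor() { this.rows = new Map(); } // key: `${userId}:${feature}`

  grant(userId, feature, version = DISCLOSURE_VERSION) {
    if (!FEATURES.has(feature)) throw new Error(`unknown feature: ${feature}`);
    this.rows.set(`${userId}:${feature}`, { version, grantedAt: Date.now(), revokedAt: null });
  }

  revoke(userId, feature) {
    const row = this.rows.get(`${userId}:${feature}`);
    if (row) row.revokedAt = Date.now(); // keep the row as an audit trail
  }

  // Fail closed: a missing row, a revoked row, or consent given against an
  // older disclosure text all deny.
  check(userId, feature) {
    const row = this.rows.get(`${userId}:${feature}`);
    if (!row) return { allowed: false, reason: "no_consent" };
    if (row.revokedAt !== null) return { allowed: false, reason: "revoked" };
    if (row.version < DISCLOSURE_VERSION) return { allowed: false, reason: "stale_disclosure" };
    return { allowed: true, reason: "ok" };
  }
}

// Server-side gate: the AI provider is reached only after the check passes,
// so a modified or freshly reinstalled client cannot skip consent.
async function handleAiRequest(store, userId, feature, input, aiCall) {
  const verdict = FEATURES.has(feature)
    ? store.check(userId, feature)
    : { allowed: false, reason: "unknown_feature" };
  if (!verdict.allowed) return { status: 403, error: verdict.reason };
  return { status: 200, result: await aiCall(feature, input) };
}
```

Because consent is keyed per user and per feature on the server, opting in to food logging does not unlock calibration, and a revocation takes effect on the next request regardless of what the client has cached.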
The emotional toll
There's a specific frustration that comes from having a working app, users waiting to try it, and a review process that moves on Apple's timeline, not yours. Each submission-rejection-fix-resubmit cycle takes days. You can't rush it. You can't call someone. You just wait, fix, and hope.
The indie dev forums are full of war stories like this. Knowing you're not alone helps, but it doesn't make the wait shorter.
WhispCal eventually passed review. The consent flow is solid, the privacy handling is thorough, and the app is better for it. But I'd be lying if I said the process was anything other than exhausting.